Blockchain Abnormal Behavior Awareness Methods: A Survey

Yan
et al. Cybersecurity (2022) 5:5

https://doi.org/10.1186/s42400-021-00107-4
Cybersecurity
SURVEY Open Access
Blockchain abnormal behavior awareness

methods: a survey
Chuyi Yan1,2, Chen Zhang1,2, Zhigang Lu1,2, Zehui Wang1,2, Yuling Liu1,2* and Baoxu Liu1,2
Abstract
With the wide application and development of blockchain technology in various fields such as finance, government
affairs and medical care, security incidents occur frequently on it, which brings great threats to users’ assets and
information. Many researchers have worked on blockchain abnormal behavior awareness in respond to these threats.
We summarize respectively the existing public blockchain and consortium blockchain abnormal behavior awareness
methods and ideas in detail as the difference between the two types of blockchain. At the same time, we summa-
rize and analyze the existing data sets related to mainstream blockchain security, and finally discuss possible future
research directions. Therefore, this work can provide a reference for blockchain security awareness research.
Keywords: Blockchain, Abnormal behavior, Awareness, Supervision, Security detection
Introduction National Vulnerability Database, the number of security

With the development of big data, cloud computing, and incidents in the blockchain field in 2020 alone was as high
artificial intelligence, society enters the era of the Value as 555, causing economic losses of up to 17.9 billion dol-
Internet. These technologies have profoundly affected lars, an increase of 130% from 2019 (CNCERT/CC 2020).
the world’s production and lifestyle, making the world Security incidents in the blockchain include both service
have a subversive change. The Value Internet era pays application security incidents (such as Ponzi schemes,
more attention to the value of data, and the characteris- money laundering, etc.) and security incidents caused by
tics of blockchain technology such as decentralization, technical defects (such as smart contract vulnerabilities,
anonymity, and non-tamperability fully cater to the era’s imperfect incentive mechanisms in the consensus, etc.).
attention. Since the Ministry of Industry and Information Among them, the notorious “The DAO” event originated
Technology released the “White Paper on China’s Block- from the vulnerabilities of smart contracts in Etherum
chain Technology and Application Development (2016)” Classic (ETC) (Mehar et al. 2019). Hackers carried out
in 2016, China has paid more and more attention to the a reentry attack on its “transfer first, then reset” model,
development of blockchain, and blockchain projects have which led to the hard fork of Ethereum and Ethers worth
also shown a blowout scene in all walks of life. However, more than 60 million dollars was stolen. For the block-
the thriving blockchain industry has a “hidden crisis”, so chain consensus mechanism, ETC encountered 51%
it is necessary to aware the security of the blockchain in attacks in January 2019 (Voell 2020). The attacker dou-
multiple dimensions to maintain the healthy develop- ble-spent at least 4 transactions with more than 51% of
ment of the blockchain industry. the computing power within 4 h, a total of 54,200 ETC,
Blockchain security incidents emerge endlessly. worth 271 thousand dollars. For the blockchain service
According to the incomplete statistics of the China security incidents, the OneCoin incident (Attorney 2019)
and Rubixi smart contracts (Rubixi 2016) both involve
*Correspondence: liuyuling@iie.ac.cn Ponzi schemes, in which the OneCoin incident “evapo-
1
Institute of Information Engineering, Chinese Academy of Sciences, rates” 1 billion dollars from victims. According to the
Beijing 100093, China Massachusetts Institute of Technology (MIT) technology
Full list of author information is available at the end of the article
© The Author(s) 2022. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which
permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the
original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or
other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line
to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory
regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this
licence, visit http://creativecommons.org/licenses/by/4.0/.
Yan et al. Cybersecurity (2022) 5:5 Page 2 of 27
report(Orcutt 2020), criminals laundered 2.8 billion dol- it is slow, and the public chain is in a weak trust environ-
lars through cryptocurrency exchanges just in 2019. ment. On the other hand, the consortium blockchain is
The reasons for security incidents are also multi- only for specific groups, whose access requires authoriza-
dimensional. Firstly, due to the nature of the distributed tion. Secondly, the semi-centralized method can achieve
ledger of blockchain itself, there are more applications controllable anonymity. Thirdly, the service on the gen-
with transactional properties; Secondly, the emerging eral consortium blockchain is relatively simple, so the data
blockchain technology is not that perfect and the thresh- scale is small and the behavior diversity is simple. In addi-
old of use required by users is relatively high and many tion, because of the above-mentioned reasons, the transac-
users have poor security awareness; Thirdly, transactional tion speed on the consortium blockchain is faster than the
projects usually have more funds stored in them, and the public blockchain, and it is in a strong trust environment.
attackers are profitable, which leads to frequent security Because of the differences between the public block-
incidents. If we can aware the existence of threats, then chain and the consortium blockchain (Table 1), the
we can avoid related property losses (Gong et al. 2017; Xi awareness methods are different too. For example, when
et al. 2012). At present, blockchain behavior awareness the data scale is small and the behavior pattern is simple,
is the use of technologies such as data mining, machine it is difficult to collect a large amount of data, which will
learning and deep learning in the different aspects of result in insufficient training data set size so the aware-
blockchians to detect and predict the risks on them. ness model is more difficult to produce, i.e., it is difficult
Various methods of behavior awareness can be used to to use the awareness method that heavily depends on the
detect threats for the above events, which can respond data set. When the degree of anonymity and centraliza-
to attacks in advance and reduce the risk of using block- tion are different, the methods of identification are also
chains. The following work will describe the awareness different. In a completely decentralized environment, it
technologies in detail of various abnormal events. is necessary to establish a reasoning relationship between
Blockchain can be divided into the public blockchain, entities to realize the identification. When the transaction
consortium blockchain, and private blockchain according speed is different, the awareness methods for network
to different application scenarios. Since the consortium attacks (such as eclipse attacks) will also be different.
blockchain can be understood as the alliance of multiple Therefore, according to the application scenarios of
private organizations, so consortium blockchain and pri- the blockchain, we introduce the behavior awareness
vate blockchain are combined for discussion. The differ- methods on the public blockchain and the consortium
ence between the public blockchain and the consortium blockchain in “Public Blockchain Abnormal Behavior
blockchain (private blockchain) is shown in Table 1. The Awareness” and “Consortium Blockchain Abnormal
public blockchain refers to a blockchain that anyone in Behavior Awareness” sections. Combining various exist-
the world can read, send transactions which can be effec- ing blockchain behavior awareness methods, we sum-
tively confirmed, and can participate in the consensus marize and analyze the existing mainstream blockchain
process (Guegan 2017). Firstly, there is no restriction on security data sets in “Blockchain Security Data Sets
the access group, and all nodes can enter and exit freely Summary and Analysis” section in order to facilitate
(Kwon and Buchman 2018). Secondly, its data is disclosed blockchain security researchers to conduct experiments
to the entire network, which is completely decentralized. and research. Finally, we discuss some possible future
Thirdly, the data that can be collected on it is large in scale research points of blockchain behavior awareness in
and has complex behavioral diversity. In addition, because “Conclusion” section. Figure 1 shows the content struc-
of the existence of massive data, the transaction speed on ture of this article.
Table 1 The difference between public blockchain and consortium blockchain

Access Centralization Anonymity Trust Transaction Data scale Behavioral Typical
characteristics environment speed diversity applications
Public block- Unlimited group Decentralization High anonymity Week Slow Large Complex Bitcoin
chain Free access Ethereum
(Li 2020; Wei
2018)
Consortium Specific group Semi-centrali- Controllable Strong Fast Small Simple HyperChain
blockchain (Pri- Authorized zation anonymity HyperLedger
vate blockchain) access
(Li 2020; Wei
2018)
Public blockchain abnormal behavior awareness et al. 2020), selfish mining, 51% attacks, etc. This section
Public blockchain technology can be divided into three mainly introduces the attack procession overview and
dimensions to aware abnormal behaviors. The first awareness methods of three classic blockchain network
dimension is to aware of the risk of public blockchain’s attack behaviors: eclipse attack (Radix 2018), selfish min-
network behaviors, i.e., focusing on various abnormal ing (Frankenfield 2019b), and 51% attack (Frankenfield
behaviors at the network level of blockchain which not 2019a). Table 2 compares the existing work on public
has a close connection with the laws and regulations of blockchain network behavior risk awareness. The follow-
the physical space. The second dimension is to aware of ing describes the work in the table in detail and summa-
the risk of the subject behavior in the public blockchain, rizes the procession of each attack.
i.e., focusing on the abnormal behavior of subjects on the
blockchain. The third dimension is to aware of the risk Eclipse attack awareness
of the service behavior of the public blockchain, i.e., not Eclipse attack is a common method for distributed net-
paying too much attention to the technical mechanism work attacks. Attackers use this method to try to isolate
on the blockchain, but on the premise of the correct use and attack specific users instead of launching attacks on
of blockchain technology itself, focusing on the behavior the entire network (such as Sybil attacks (Douceur 2002),
risks which touching the relevant laws and regulations etc.) (Radix 2018). The process of the eclipse attack was
of the physical space. The following describes behavior proposed by Heilman et al. (2015) in 2015. As each node
awareness methods in detail and separately describes in the Bitcoin blockchain network can only own 8 outgo-
its common limitations, main ideas and concepts for ing connections and 117 incoming connections, when a
addressing them or the future directions from these three node restarts, it will re-configure the in and out connec-
dimensions in detail. tion, and select the address from the tried table to con-
nect. Because the network layers of various blockchains
Public blockchain network behavior risk awareness are similar, not only can Bitcoin suffer from eclipse
Blockchain technology is based on the P2P network. attacks, other blockchains may also suffer from. Without
According to the hotspots of security issues in the mastering a large number of zombie nodes, Marcus et al.
blockchain’s network layer, there are mainly eavesdrop- (2018) can also use a small number of resources to launch
ping attacks, eclipse attacks, border gateway protocol the eclipse attack.
(BGP) hijacking attacks, segmentation attacks (Guo
Fig. 1 Article content structure

Table 2 Public blockchain network behavior risk awareness work comparison
Network Behavior Awareness Awareness Technical details Awareness Awareness Awareness Advantage Disadvantage Quantitative Data using
behavior consequences difficulty methods accuracy speed availability performance
Eclipse attack Isolate the target Hard Based on game Enhanced search Low – Medium Using fully Need to reconfig- Look up success Self-made data
Yan et al. Cybersecurity
node theory technology based decentralized ure the routing rate: 90–99% set by OMNeT++
on dynamic vot- table andrelated Malicious detec- simulator (Pongor
ing mechanism protocols tion rate: 55–60% 1993) and Over-
(Ismail et al. 2015) (depends on Sim (Baumgart
parameters) et al. 2007)
(2022) 5:5
Based on super- Use random forest Medium Fast High Fast speed and Rely on the label Precision: 71% Access connec-
vised learning classification algo- high robustness accuracy of the Recall: 95% F1: tion packets in
rithm to detect attack data set 0.81% Ethereum net-
traffic packets (Xu work with attacks
et al. 2020) they made by
script
Based on proba- Suspicious block High Slow High Easy to deploy, Too slow Attack detection Bitcoin block
bilistic model timestamp warn- no need to time: 3 h Maliciousheads informa-
ing (Alangot et al. change network detection rate: tion in 2018–2019
2020) configuration 100% Need very
and protocols long time
Based on pattern Gossip protocol High Fast Medium Fast speed, no Detection nodes Attack detection
matching traffic analysis need to change are not easy to time: immediate
(Alangot et al. network con- deploy Malicious detec-
2020) figur- ation and tion rate: 97.58%
protocols
Selfish mining Malicious com- Hard Based on game Block transac- High Fast Low Does not affect Loss of a certain Success attack Bitcoin network
petition for block theory tion additional the growth transaction fee, needs to reach
rewards expected con- and confirma- need to change 50% hash rate
firmation height tion rate of the the block struc-
(Saad et al. 2019) blockchain itself ture
Based on proba- Fork height simu- – – – Analyze the Can only be Success attack Bitcoin network
bilistic model lation statistics fork probability tested in a small- needs to reach with simulation
(Chicarino et al. caused by mul- scale simulation 30% hash rate attacks by NS3
2020) tiple attackers’ network (Gervais et al.
hash rates in 2016)
a simulated
environment
51% Attack Double spend or Easy – Monitor large High Fast High Fast speed and – – –
malicious compe- transa- ctions and high robustness
tition the time of block
production in the
mining pool
Page 4 of 27
Eclipse attack is difficult to aware on the blockchain Eclipse attacks are the pre-stage of selfish mining and
network layer, but there is still a small amount of related double-spending attacks. Perceiving the existence of
work. In Ismail et al. (2015) proposed a method to deal eclipse attacks plays an important role in preventing
with the eclipse attack in complex scenarios. This detec- eclipse attacks and subsequent attacks.
tion method can be applied to various P2P networks, so
as blockchain. They use a dynamic voting-based mecha- Selfish mining awareness
nism to enhance the search technology to detect attacks, Selfish mining is an attack that exploits the consensus
i.e. it detects whether peer B is attacked, so peer A is used defect on the blockchain, which can give the attacker
to select a group of nodes that may be closest to B, and opportunities to compete for more benefits for himself
they are required to return contact information or for- in the case of losing the benefits of others (Frankenfield
ward A’s message until B parse it or discarded after the 2019b). The process is: the attacker does not announce
timeout. This method allows fully decentralized use, but the block immediately after finding it, but continues to
because the protocol mechanism is changed, the routing mine more blocks. According to the situation of the pub-
table and related protocols need to be reconfigured, so lic blockchain, the block is announced to the network
the availability is moderate and the malicious detection strategically and selectively to win in the competition of
rate is a bit low. Without changing the protocol mecha- other miners.
nism, Xu et al. (2020) proposed a random forest classi- Eyal and Sirer (2014) made a systematic analysis on the
fication algorithm in 2019 to detect eclipse attacks on attack strategy of selfish mining in 2014. They divided the
Ethereum through the collection of normal data packets blockchain into “public chain” and “private chain” dur-
and attack data packets. By analysis, they found that the ing mining. Attackers will keep the blocks they mined on
attack packet contains tags such as packet size, access the “private chain”, and the blocks mined by the honest
frequency, and access time which are helpful in detect- will be directly announced to the “public chain”. Since
ing eclipse attacks. After training on the data packets col- the “public chain” is public, after the honest miners
lected from the blockchain network, the detection model announce the block, the attacker can immediately update
proposed by Xu et al. can detect the eclipse attack in a his “private chain” and continue to mine on his “private
higher probability with 71% precision and 95% recall. chain” until the attacker’s “private chain” is as long as
Since the use of supervised learning, its accuracy the “public chain”. Then the attacker chooses to publish
depends on the tags’ accuracy of the attack data set, which the “private chain” and starts to compete with the hon-
has certain limitations when the data set is not available. est miners for the main chain. Once the “private chain”
To reduce the degree of data sets dependence, Alangot announced by the attacker becomes the main chain, the
et al. (2020) proposed two different efficient methods purpose of invalidating the honest miners’ blocks can be
in 2020 to detect whether the Bitcoin client was eclipse achieved. They increase their own profits at the cost of
attacked. The first method is based on the suspicious wasting the computing power of honest miners. When
block timestamp. If the time between the current block there is half of honest miners mining after the attacker’s
and the previous block is too long, it means that the net- block, the attacker’s computing power must reach 25% to
work has been partitioned. The malicious detection rate make a profit. When there are no honest miners mining
can reach 100%, but the awareness speed of this method after the attacker’s block, the attacker’s computing power
is slow with 3 h. The second method is to use the natural must greater than 1/3 can make a profit (Han et al. 2018).
connection between the client and the Internet to “gossip” To aware of the existence of selfish mining attacks,
outward the view of the client itself. It can detect whether Saad et al. (2019) proposed an awareness method in 2019,
the client is attacked through the analysis of the network adding the expected confirmation height to each trans-
traffic, and the awareness efficiency is high as it can detect action of the block. When the average expected confir-
the eclipse attack immediately and reach 97.58% mali- mation height is low in the block, it will be considered
cious detection rate. Both methods do not need to change as a selfish miner. Because selfish miners will announce
the network configuration and related protocols, but due empty blocks for competition, although they will lose a
to the second method of detection nodes are not easy to part of the transaction fee, they can gain a speed advan-
implement, so the method availability is moderate. tage in mining. Therefore, when empty blocks appear,
Now much work has focused on designing new proto- the expected confirmation height of the transaction will
cols to counter eclipse attacks and perceiving the exist- be lower, and it can be detected at this time and the sys-
ence of eclipse attacks is also important. In the future, tem will deny the blocks access to the chain. When using
researchers may pay attention to network traffic level, this method, attackers need to reach the 50% hash rate to
extracting traffic feature of eclipse attacks to directly per- make it successful. But this awareness method needs to
ceive the existence of attacks in blockchain nodes. change the block structure. Without changing the block
structure, Chicarino et al. (2020) proposed a blockchain length of the original main chain, thus the private chain
network selfish mining awareness method for the proof- combined with the original main chain becomes the
of-work (PoW) consensus mechanism blockchain in new main chain. Eventually, the block with transactions
2020, simulating the blockchain through the NS3 simula- between the attacker and the honest one becomes a soft
tor to detect if the fork height of the block deviates from fork and is discarded, and will not be accepted by the
the standard value. Then it determines whether a selfish entire network. The attacker achieves double-spending.
mining attack has occurred or not in the current net- Using behavior awareness technology to detect 51%
work. When using this method, attackers need to reach attacks has less work. The reason is that it is difficult for
the 30% hash rate to make it successful. malicious miners to reach 51% of the computing power
There is not a lot of work on perceiving selfish min- even use collusion attack before the mining pool appears.
ing. Most of the work is aimed at selfish mining defen- After the mining pool appears, if the mining pools whose
sive schemes, such as directly changing the consensus computing power is on the top of a collusion attack, their
mechanism of the blockchain. Shultz and Bayer (2015) computing power will reach 51%. Due to the assumption
proposed a method in 2015 to let honest nodes attach that an attacker is a rational person, the purpose of the
some signatures to prove that the block is accepted by attacker is to make a profit. If a person with 51% of the
the network and that there is no competing block in the computing power performs a double-spending attack, it
network. Zhang and Preneel (2017) proposed to change is equivalent to attack the blockchain trust system so that
the longest chain principle in 2017. They introduced the the corresponding currency is no longer valuable, so it is
concept of blockchain weight and proposed a new fork- better to use the advantage of computing power to mine
resolution principle (FRP), which is not based on the for profits.
longest chain principle to choose the forks but based on Moreover, in Satoshi Nakamoto’s article (Nakamoto
the block weight. and Satoshi 2008), it is also clear that if the attacker can
The selfish mining attack requires the attacker to reach catch up with the 6 block gap with the honest, it will take
certain computing power. In the public chain ecology, at least 1 h, so large transactions and block producing
mining pools have chance to own a large amount of com- time from the mining pool can be considered to super-
puting power. If attackers do not join the mining pool, vise, and related work can be studied in the future.
they need to control more nodes to increase their com-
puting power, such as implanting mining programs on Public blockchain subject behavior risk awareness
the node devices. So in our opinion, we can start with According to the different subjects on the blockchain,
the awareness of nodes and detect the pre-attack stage we subdivide the subject behavior risk awareness on
to prevent the implantation of mining programs, thereby the public blockchain into transaction behavior aware-
detecting selfish mining behavior. ness, account behavior awareness, and contract behav-
ior awareness. Table 3 compares the existing work on
51% Attack awareness public blockchain subjects’ behavior risk awareness. We
51% attack, as the name suggests, means that the attacker describe the work in detail and summarize the awareness
has 51% of the computing power in the blockchain net- process of each kind of subject’s behavior.
work and can mine new blocks faster than other par- The three different subject behavior awareness tech-
ticipants to control the generation of new blocks or nologies can be roughly divided into two categories: one
recalculate confirmed blocks, in order to tamper with the is based on machine learning, and the other is based on
transaction data on the block and destroy the immutabil- rules. Machine learning based methods can be divided
ity of the blockchain. The general purpose of the attacker into supervised and unsupervised. Early research on
is to achieve double spending (Frankenfield 2019a). subject behavior awareness technology on the chain
Attackers use the cryptocurrency in his hand to trade mostly used unsupervised machine learning methods.
with others. After they confirm that the transaction is There was less prior knowledge of on-chain behavior
on the chain, the honest one will think that the transac- and fewer abnormal clues available at the time, there-
tion has been completed. At this time, the attacker has fore, unsupervised learning which does not depends on
received money or materials. However, the attacker uses labels was used. However, the accuracy is not satisfying
the advantage of computing power to start the fork from and it is easy to overlook some potential abnormal behav-
the block before the payment transaction, and transfers iors. With the deepening of research work, the increase
the cryptocurrency back to his address on the new block. of abnormal cues and the deepening of on-chain behav-
The fork will compete with the entire network. Since the ior cognition, the subsequent works use of more accurate
attacker has 51% of the computing power, the length of supervised learning methods and rule-based methods to
the private chain mined by the attacker will exceed the perceive abnormal behavior on the chain. The supervised
(2022) 5:5
Table 3 Public blockchain subject behavior risk awareness work comparison
Subject Awareness Awareness Awareness Technical Applicable Awareness Awareness Advantage Disadvantage Precision Recall F1 Data using
behavior purpose difficulty methods details scene accuracy speed
Transaction Fraud behav- Easy Based on Multivari- More types Low Fast High rubust- Unsatisfactory Efficient cluster number: 8 malicious detec- Bitcoin partial
behavior ior detection unsupervised ate cluster needs for ness precision tion rate: 16.67% transaction
learning analysis based abnormal dataset
on trimmed behavior clas-
k-means sification
algorithm
(Monamo
et al. 2016)
Based on Cluster Less types High Fast High recogni- Fewer types 90.00% 99.70% 94.00%
unsupervised analysis based needs for tion accuracy of abnormal
learning on k-means abnormal for a small behavior can be
algorithm behavior clas- number of detected
after finding sification abnormal
outliers types
(Sayadi et al.
2019)
Based on rule Anomaly Targeted Medium Medium Strong perti- Weak robustness Airdrop Airdrop Airdrop
inference behavior awareness nence candy: candy: candy:
recognition needs for 43.62% 85.71% 57.79%
based on specific greedy injec- greedy injec- greedy injec-
transaction abnormal tion: 54.32% tion: 81.35% tion: 65.11%
motivation
(Shen et al.
2021)
Page 7 of 27
Table 3 (continued)
Account Suspicious Medium Based on Cluster More types Low Fast High rubust- Unsatisfactory Efficient cluster number: 7 Significant attack Bitcoin partial
behavior account unsupervised analysis based needs for ness precision and events: 2 transaction
behavior learning on account abnormal recall rate dataset
detection behavior behavior clas-
(2022) 5:5
graph (Pham sification
and Lee 2016)
Based on Account Fine-grained Medium Medium Highly Unsatisfactory Average modularity: 0.801 Ethereum on-
unsupervised behavior requirements fine-graied speed and chain data
learning analysis based for account awareness accuracy
on graph min- behavior
ing method description
combin-
ing event
information
and account
high-level
interaction
information
(Ao et al.
2021)
Node behav- Hard Based on Blockchain Less types Medium Fast High recogni- Low fine-grained Efficient cluster number: 2 Precision: 74.26% Transaction
ior pattern unsupervised behavior needs for tion accuracy awareness data of a real
classification learning clustering abnormal for a small blockchain
algorithm BPC behavior clas- number of application on
analysis and sification abnormal stock trading
verification types
(Huang et al.
2017)
Fraud Easy Based on Using Needs for High Fast High accuracy Low fine- grained Random Random Random For- Ethereum
account supervised XGBoost fraud predic- awareness forest: 85.71% forest: 23.67% est: 37.09% On-chain Data
detection learning to identify tion on the XGBoost: XGBoost: XGBoost: with phishing
large scale account 78.03% 31.32% 44.70% labels
fraudulent
accounts and
features sensi-
tivity analysis
(Ostapowicz
and Żbikowski
2020)
Identity infer- Medium Based on Identity Deanonymi- High Fast High recogni- Label depend- 99.17% 99.83% 99.50% Ethereum
ence unsupervised analysis based zation for tion accuracy ency phishing trans-
learning on GNN (Shen abnormal with effec- action network
et al. 2021) behavior tively large-
scale graphed
computation
avoidance
Page 8 of 27
(2022) 5:5
Contract Vulnerability Easy Based on Provide a All block- High Fast Can be Limited to Successful exploit contract rate: 88.41% Ethereum on-
behavior detection automated universal chains that implement on contract internal chain contracts
exploit definition of support smart a large scale behavior
contract vul- contracts with a high
nerability and degree of
exploitation automation
tools (Krupp
and Rossow
2018)
Honeypot Medium Based on Propose All block- High Fast High accuracy Limited to 94.38% – –
detection symbol honeypot chains that and fast contract internal
execution contract support smart perception behavior and
classification contracts speed requires open
and construct source smart
heuristic contract
honeypot
contract
search tool
(Torres et al.
2019)
Attack detec- Medium Based on Use neural Needs for High Fast Can be Attacks limited to 95.07% 94.73% 94.83% DEFIER
tion and supervised network to attack stages implement on the use of smart extended DApp
classification learning train the inter- identification a large scale contract transac- event dataset
action graphs with strong tions
between robustness
contracts to
automatically
discover the
stage of new
attacks (Su
et al. 2021)
Page 9 of 27
method is more dependent on labels, and it is not easy in the original transaction information and then use the
to obtain high-level information of behavior features. The clustering method to find abnormal behaviors.
rule-based awareness method requires a certain degree of The common limitation of transaction behavior aware-
cognition of on-chain behaviors, and the design of rules ness methods is it that multi-classification’s accuracy
generally only aims at the awareness of specific behav- is poor and inadequate understanding of transaction
iors, and the robustness needs to be improved. behavior combined with semantics or other features.
So researchers may focus on the blockchain transac-
Transaction behavior awareness tion modeling combining other features, such as time
Blockchain transactions are packaged on the chain by sequence features, semantics features and etc.
miners after broadcasting in the entire network. Due to
the transparency of the blockchain, abnormal behavior Account behavior awareness
can be aware through the analysis of transaction records. Although the blockchain has a detailed record of the
Monamo et al. (2016) used the trimmed k-means method transaction content and the addresses of both partici-
to perform cluster analysis and abnormal transaction pants to the transaction, the account entities still have a
awareness in multivariate settings in 2016. This method certain degree of anonymity, so the awareness of account
can detect more types of abnormal transactions. As using behavior is also worth exploring. Pham and Lee (2016)
the unsupervised learning method, it does not depend on proposed a unique address anomaly awareness method
the accuracy of the data set and the method is robust, but for the Bitcoin network in 2017. They use the Bitcoin
the accuracy is not ideal with the malicious detection rate transaction network to form a graph with transaction
only 16.67%. addresses as nodes and using the k-means clustering
To improve the accuracy, Sayadi et al. (2019) proposed algorithm, Mahalanobis distance, and the unsupervised
a new model for abnormal transaction detection in 2019. support vector machine to aware of abnormal address
Firstly, they use the One-Class support vector machine behaviors. This method can find many types of suspicious
(One-Class support vector machine, One-Class SVM) behaviors, but the accuracy of the three methods needs
to find transactions outliers. Then they use the k-means to be improved.
algorithm to classify the outliers. In the case of fewer To improve the classification accuracy, Huang et al.
abnormal behaviors’ types, it can achieve a higher accu- (2017) first proposed an automatic classification method
racy rate reached 90% but there are fewer abnormal of blockchain account behavior in the same year. By
behaviors’ types that can be accurately detected, which is extracting the node behavior sequence and they proposed
not suitable for blockchain with complex behavior types. a clustering algorithm called BPC based on the k-means
Since transactions have intention, Shen et al. (2021) algorithm. Variety types of behaviors on the block-
adopted a rule inference-based fusion method in 2021. chain can be classified with good classification accuracy
They use transaction motivation as the starting point, (reached 74.26%). Unfortunately, this method cannot be
and design rules for judging two types of abnormal trans- implemented on a large-scale blockchain. To increase
action behaviors: airdrop candy and greedy fund injec- the implementation scale, Ostapowicz and Żbikowski
tion. They extract the abnormal transaction pattern graph (2020) conducted a large-scale account detection method
and use the sub-graph matching technology to design the in 2020, using supervised learning techniques to detect
awareness algorithm. They also verify the effectiveness fraudulent accounts on Ethereum, and compared the
of the method through real cases and the recall reached ability of random forests, support vector machines, and
85.71% and 81.35% of airdrop candy and greedy fund XGBoost classifiers on a data set with more than 300,000
injection respectively. But this method aware of specific accounts and give the sensitivity analysis of each feature.
abnormal behaviors on the chain, so when new abnormal Though the precision has increased, the recall rate is low.
behaviors appear, the robustness of this method is weak. The account behavior awareness methods generally
We summarize the general process of transaction rely on extracting the statistical features of the account
behavior awareness as follows: Firstly, obtain a large address (or transaction address) and then applying arti-
amount of transaction information from the blockchain ficial intelligence technologies such as machine learning
(regardless of whether the blockchain supports smart or deep learning to classify or identify them. But Ao et al.
contracts). This information acquisition method is appli- (2021) first combined the account high-level interaction
cable to various blockchains; After obtaining the transac- information and time information, from the perspective
tion information, there are two types of processes. One of graph mining, analyzing the behavior of Ethereum
is to use the inter-graph learning technology for model accounts through Temporal High-order Proximity Aware
training and prediction after the transaction graph is Community Detection (THCD) and verifying the effec-
constructed. The other one is to directly use the features tiveness on the four real data sets. Moreover, it can be
extended to large-scale transaction data sets with better method can efficiently and accurately identify contracts
perceptual fine-grained. with honeypot behavior.
Identity inference aims to make a preliminary inference In terms of inter-contract behavior, Su et al. (2021)
about account identity. Shen et al. (2021) present a novel designed the automatic large-scale attack investiga-
approach to analyze user’s behavior from the perspective tion tool DEFIER for Ethereum in 2021. They use smart
of the transaction sub-graph, which naturally transforms contracts with determined Ethereum attack events to
the identity inference task into a graph classification pat- form a seed attack set, and then use the Jaccard similar-
tern and effectively avoids computation in large-scale ity between contracts to find smart contracts with new
graph. They reached 99.17% precision, 99.83% recall and attack events, to form the largest attack event data set for
99.50% F1-score. It performs pretty well. But this method smart contracts on Ethereum. Then they use Long Short-
depends on the labels of data sets. Term Memory (LSTM) neural network to train the trans-
We summarize the general process of account behavior action correlation vectors on the formed data set. After
awareness as follows: The general account behavior pat- that, they use Multi-Layer Perceptron (MLP) classifier to
tern is more suitable for blockchains that support smart classify attack stages. In this way, new attacks using smart
contracts, that is, blockchain 2.0, such as Ethereum and contracts in Ethereum can be automatically discovered,
other blockchains. But it can also be used in blockchain and the attack stage can be determined. After deploy-
1.0, such as the Bitcoin network. Generally, clustering DEFIER in Ethereum, 476,342 malicious transactions
ing data mining techniques are used to classify account were discovered, including 75 0-day vulnerabilities. In
behaviors, and then abnormal behaviors can be manually addition, they reached 95.07% precision, 94.73% recall
detected from the classified categories. In the blockchain and 94.83% F1-score.
2.0 network, various security reports can be used as the The awareness of smart contracts is the most change-
basis, and we can use machine learning technology for able. It can perceive in the aspect of the vulnerability
classification and identification through statistical fea- level, functional threat level, and attack process level.
tures and association methods between accounts. Each level of awareness can use different processes. For
The balance of precision and recall need to be improved example, vulnerability level awareness can establish tools
and the new artificial intelligence methods which used in such as fuzzing, symbolic execution, and formal verifica-
social interaction network can migrate into the on-chain tion. Functional threat level awareness can perceive hon-
account behavior field. eypot contracts and study active traceability techniques,
etc. Attack process level awareness is based on the estab-
Contract behavior awareness lishment of the database, then it carries out data cleaning
The development of smart contracts is fast and change- and analysis, and finally obtains an accurate attack stage
able. When met certain conditions, the corresponding database with awareness model.
transaction behaviors will be triggered. A smart contract Although the discovery of abnormal behavior of the
can be understood as an automated trusted third party. internal code of the contract is very important, the inter-
The behaviors within and between contracts have very action between the contracts also cannot be ignored. At
important influences on on-chain behaviors (Zhao et al. present, there are few works on the interaction between
2020). Since there is a lot of work on smart contracts, the contracts. How to reasonably model the interaction
following summarizes the work on the top security con- between contracts and adopt a reasonable segmentation
ference papers in recent years. method to capture high-level behavior information are
In terms of the internal behavior of the contract, Krupp points that can be studied in the future.
and Rossow (2018) built a smart contract vulnerability
automatic identification and exploit tool TEETHER in Public blockchain service behavior risk awareness
2018. The contract can be exploited when only give the The service behavior risks on the blockchain mainly
binary bytecode. This method achieves good perfor- include illegal money laundering, Ponzi schemes, light-
mance for large-scale implementation on Ethereum and ning loan utilization, darknet illegal transactions, ter-
the successful exploit contracts account for 88.41%. rorist financing, and virus extortion (Yang 2020). This
In terms of functional threats, Torres et al. (2019) sys- section mainly summarizes the work of Ponzi scheme
tematically studied honeypot smart contracts and pro- awareness and illegal money laundering behavior aware-
posed a honeypot technology taxonomy in 2019, and ness as these two behaviors have more awareness work
constructed a heuristic method that uses symbolic execu- on the public blockchain. Table 4 compares the existing
tion to find honeypot contracts–HONEYBADGER. After work on public blockchain service behavior risk aware-
analyzing more than 2 million smart contracts, their ness. We describe the work in detail and summarize the
awareness process of the above two service behavior The awareness methods of the on-chain Ponzi scheme
risks. currently relies on the existing abnormal clues, and in
The service behavior awareness technologies mainly this way the awareness of the Ponzi scheme contract with
based on machine learning as they rely on the abnormal unknown behavior patterns is difficult. Research may
clues. And the technologies limitation is the same as the combine behavior patterns defined in the financial field,
subject behavior awareness. abstract its network motifs, and cruise on-chain con-
tracts through pattern recognition technology.
Ponzi scheme awareness
Ponzi scheme is a form of financial fraud, which deceives Money laundering awareness
investors and uses the funds of later investors to pay Illegal money laundering refers to the illegal process of
profits to previous investors (Wikipedia 2021b). Because concealing the source of illegally obtained funds through
blockchain users do not understand its underlying tech- a series of complex bank transfers or commercial trans-
nology, public blockchains have strong anonymity, lack actions. The overall process is to return “clean” money
national supervision and smart contract source codes to the money launderer in an obscure and indirect way
may be hidden, etc., there are many Ponzi schemes on (Wikipedia 2021a). The anonymity of cryptocurrency, the
public blockchains, which bring blockchain investors convenience of cross-border transactions, and its vulner-
have caused large economic losses. According to statis- ability to network attacks all provide a suitable soil for
tics, an average of 7 million U.S. dollars’ worth of Bit- money laundering.
coin was obtained by fraudsters within a year (Vasek and The public blockchain digital currency led by Bit-
Moore 2015). coin has become a common currency for transactions
Chen et al. (2018) proposed a method for Ponzi scam between certain criminals. In fact, cryptocurrency only
contract identification using XGBoost in 2018. This provides pseudo-anonymity, but it can achieve true
method combined with security reports, collecting 1382 anonymity through certain methods. Cryptocurrency
verified smart contracts from the Ethereum browser. has no restrictions in cross-border transactions, and it
Comparing the transaction flow graph with the non- is suitable for use as an intermediate currency to trans-
Ponzi flow graph, and constructing seven statistical fea- fer between countries and become a medium for money
tures to use XGBoost for classification. They achieved a laundering. At the same time, cryptocurrency is traded
precision rate of 94% and a recall rate of 81%, which per- on the network instead of offline. Due to the instability
forms efficiently in blockchains with sufficient transac- and vulnerability of the network, a large amount of digi-
tion scale. tal currency can be “evaporated” in a short period. The
Bartolettiet al. (2020) used on-chain transaction so-called “evaporation” means that money launderers can
records, smart contract source code, and smart contract claim that the currency has been “evaporated” by cyber-
chain information to analyze the behavioral characteris- space attacks, but in fact, it may have been withdrawn
tics and multi-angle impact of the Ponzi scheme. Finally, offline (such as embezzlement of public funds, etc.),
they find extra 184 ponzi schemes on Ethereum. which can wash away their own suspicions to a certain
In order to further improve the accuracy rate, Zhang extent. A explainable reason was found for the source of
and Lou (2021) proposed a Ponzi scheme contract detec- the money, and making preparations for the escape after
tion method based on the deep neural network in 2021. the crime. The above three points are the motivations
This method extracts the operation code feature of the for money laundering groups to use cryptocurrency for
smart contract and account feature to form a data set. money laundering.
After deep neural network training, it achieved the 99.6% The existing common money laundering methods are
precision rate and 96.3% recall rate. shown in Table 5, which can be roughly divided into
This article summarizes the main process of the exist- the following two types: The first one is to use the digi-
ing Ponzi scheme awareness methods as follows: Firstly, tal currency mixing strategy with high concealment to
finding the Ponzi scheme incidents in various secu- achieve anonymity. Bitcoin Fog, DarkLaunder (BitLaun-
rity reports and news to extract the malicious contract der, CoinMixer are the same type), and Helix are com-
accounts, transaction associations, and other informa- monly used for mixing. Among them, Bitcoin Fog is
tion in incidents, constructing the Ponzi scheme inci- used with the “send shared” function of Blockchain.info
dents data sets. Secondly, constructing a transaction flow (blockchain browser’s API), to anonymize transactions
graph for comparison to complete the feature extraction. without linkability and traceability. DarkLaunder (Bit-
Thirdly, using machine learning or deep learning meth- Launder, CoinMixer) is a weak currency mixing strategy.
ods to perform model tuning and training. Finally, using After using it, certain transactions can still have linkabil-
the trained model to detect new Ponzi schemes. ity, but the money laundering speed is fast, which only
(2022) 5:5
Table 4 Public blockchain service behavior risk awareness work comparison
Service Awareness Awareness Technical Applicable Awareness Awareness Advantage Disadvantage Precision Recall F1 Data using
behavior difficulty methods details scene accuracy speed
Ponzi schemes Easy Based on Using XGBoost Blockchain High Fast High precision Unsatisfactory 94.00% 81.00% 86.00% Ethereum trans-
supervised to classify the with suffi- recall rate action data
learning Ethereum cient transac-
transaction tion scale
flow graphs
(Chen et al.
2018)
Based on Fusion of trans- Blockchain – – Comprehen- Multi-dimen- Find extra 184 ponzi schemes on
mixed action records, with suffi- sive analysis sional data is Ethereum
information contract source cient transac- dimensions weakly cor-
model con- code and on tion volume related
struction chain informa- and support
tion to build a for smart
Ponzi scheme contracts
behavior model
(Bartolettiet al.
2020)
Based on Smart contract All block- High Fast High precision High data set 99.60% 96.30% 97.92% Ethereum
unsuper- operation chains that and recall rates dependence transaction data
vised learn- code and support combined with
ing account feature smart con- contract code
extraction tracts data
based on deep
neural network
(Zhang and
Lou 2021)
Page 13 of 27
(2022) 5:5
Service Awareness Awareness Technical Applicable Awareness Awareness Advantage Disadvantage Precision Recall F1 Data using
behavior difficulty methods details scene accuracy speed
Money laun- Easy Based on Compare the Blockchain High Medium High precision Unable to 92.74% 97.37% 95.00% Bitcoin partial
dering unsuper- transaction with suffi- identify block- transaction
vised learn- flow graph cient transac- chain applica- datasets
ing between tion scale tion with
the normal insufficient
transactions transaction
and money scale
laundering
transactions
(Hu et al. 2019)
Based on Use graph Popular High Medium High robust- Unsatisfactory 97.10% 67.50% 79.00%
supervised neural network crypto- ness and accuracy
learning to identify and currency suitable for all
visualize money platform kinds of popu-
laundering lar crypto-cur-
transaction rency platform
sequence dia-
grams (Weber
et al. 2019)
Based on Use less data to Blockchain Medium Medium Independent Robustness With the number of labeled
active learn- achieve recog- with limited of data set size needs to be samples, the best F1: 83.00%
ing nition (Lorenz data and verified
et al. 2020) manpower
Page 14 of 27
Table 5 Blockchain money laundering strategies comparison

Type Strategy characteristic
Application Application characteristic
Mixing strategy Bitcoin fog Need to cooperate with related functions to achieve complete untraceability
DarkLaunder (BitLaunder, CoinMixer) The money laundering speed is fast but the transaction can still be linked
Helix It can only be accessed by Tor. Multiple addresses are in the same transaction
so the anonymity is weak
Cross-border transfer Use crypto-currency as an intermediary to complete asset transfer
takes 1–6 h (de and Hernandez-Castro 2017). Helix can only 5% of tags to achieve better money laundering iden-
only be accessed using Tor, but in this service, the wal- tification results. This is the optimized configuration for
let addresses and withdrawal addresses of multiple users limited manpower and data scenarios.
exist in the same transaction, so it is easy to identify these The awareness of money laundering behavior is still
users and does not provide sufficient anonymity. developing. We summarize the general process of
The second method is to use the efficient and conveni- money laundering behavior awareness as follows: Due
ent cross-border transfer function of cryptocurrency. to the lack of anti-money laundering data sets, the exist-
The currency of country A can be exchanged for digital ing work generally conducts the correlation analysis
currency through the exchange of country A, and then between addresses and transactions to form transaction
send the digital currency to country B. Now the digital flow graphs; then use the classification method between
currency can be exchanged to the currency of country B graphs or the graph-based deep learning method to clas-
through the exchange of country B, completing the asset sify or cluster the graphs to obtain the feature difference
transfer. However, lacking supervision, profit-driven between the normal transaction and the money launder-
exchanges can only rely on consciousness to prohibit ing transaction flow graphs.
money laundering, which is obviously unrealistic. However, there is little work on money laundering in
Money laundering using mixed currency services is cross-border transfers, and it can be prevented from the
not as safe and anonymous as these services claimed. policy supervision of exchanges.
Some very well-known currency mixing services still
have major security flaws and privacy restrictions (de and Consortium blockchain abnormal behavior
Hernandez-Castro 2017). Hu et al. (2019) collected data awareness
for 3 years from 2016 to 2019. By creating transaction The consortium blockchain is a cluster composed of
flow graphs for normal transactions and money launder- multiple private chains. Generally, multiple industry
ing transactions, comparing the differences between the units form the alliance (Community 2020; Hope-Baillie
graphs, and then using the node2vec model framework and Thomas 2016; Skuchain and Forum 2019), and only
to classify graphs, they achieve better results with high authorized nodes can access in it. The consortium block-
F1-score. But its accuracy needs to be improved on the chain will be an important type of chain in the future.
blockchain with insufficient transaction scale. For its healthy development, the awareness of abnormal
In order to enhance the robustness of the method, behavior of the consortium blockchain needs more atten-
Weber et al. (2019) adopted a fusion method based on tion. The awareness methods on the public blockchain
probability statistics in 2019, using Elliptic’s data set to (generally, the awareness methods based on machine
construct a sequence diagram containing 200K trans- learning, graph neural network and association relation-
action nodes, 234K transaction edges, and 166 node ship can be used) can still be used on the consortium
features and the label of whether the money launder- blockchain. Since the consortium blockchain is highly
ing transaction is or not. Then using the deep learning controllable and designable, it has some unique aware-
method of graph neural network (GCN) to identify the ness methods. Consortium blockchain can conduct risk
money laundering behavior in the graph, and finally visu- awareness from the network level, the subject behavior
alizing the model. This money laundering recognition level, and the service behavior level.
method has achieved good results for various popular In this chapter, we adopt the elaboration idea from
cryptocurrency platforms but it is highly dependent on point to plane, i.e., from the abnormal behavior per-
manpower and data sets. ception method for specific nodes to the method for
In order to reduce dependence on data sets, Lorenz the whole chain. We focus on the awareness of identity
et al. (2020) used active learning methods in 2020, using tracking, attacks on PBFT leaders, auditing under privacy
protection, collusion attacks and “Govern blockchains the TTP issues certificates to the users so that it improves
by blockchains” (Chen 2020), which are the researchers the credibility of Bitcoin addresses. This centralized
mostly pay attention to because they are different abnor- method is convenient for the TTP to trace user identi-
mal behaviors from the public chain. Although there are ties and because the script is used the same as Bitcoin,
few related works, these works can be used as reserve the efficiency is also as good as Bitcoin scripts. Using this
methods. certificate binding method can trace the identity of the
The following describes the work in detail and sepa- consortium blockchain. But this centralized approach is
rately describes its common limitations, the main prone to abuse of the supervision power. El Defrawy and
ideas and concepts for addressing them or the future Lampkins (2014) proposed a multi-server collaborative
directions. storage and supervision scheme based on multi-party
Table 6 compares the existing work on the risk aware- secure computing. The bottom layer uses secret shar-
ness of abnormal behaviors of the consortium blockchain ing technology. When identity tracing is required, more
under the premise of highly controllable and designable. than the threshold number of servers must participate
in order to reveal user identity, which effectively pre-
Identity tracing vents the abuse of supervisory power in the consortium
Due to the autonomy of the consortium blockchain, it blockchain.
can learn from the work of identity tracing on some pub- However, in previous schemes, users need to register
lic blockchains (Li and Xu 2020; Lu and Xu 2017). For again to change its public keys for trading. It increase the
the identity tracing mechanism of the consortium block- burden of supervision center (no matter it is centralized
chains, the following related work can be referred to as or not). Li et al. proposed a tracing scheme which sep-
reserve algorithms. erate the user’s public key and the certificate for tracing,
exploiting the transparency and integrity of the block-
Group and ring signature chain to ensure traceability. Unfortunately, it still abused
Generally, linkable, traceable group, and ring signatures of supervisory power as the single supervision center.
are used for identity tracing with the premise of privacy Most identity tracing methods are to bind the user’s
protection, which can realize user identity tracing and public key to the certificate. The supervision center uses
transaction auditing under certain conditions (Zheng the certificate to trace the public key correlation with the
et al. 2018; Fujisaki and Suzuki 2007; Liu et al. 2004). The user’s identity. The common limitation of public key and
signature can be verified, but the identity of the signer is certificate binding methods is it that the heavy burden of
kept secret. The administrator can open the signer’s iden- supervision center as the updates and changes of users’
tity under the set conditions, i.e., obtaining the signer’s public keys and the abuse of supervisory power with the
public key, so as to realize the tracing and complete the single supervision center (common method using in the
identity association (Li et al. 2021). However, its applica- real scene). The main concept to address the limitation is
tion scenarios are limited, which is applicable to consor- to change the binding way and distribute the supervision
tium blockchains with a small number of users. Though centers by cryptographic primitives, respectively. How-
in Zheng’s work (Zheng et al. 2018), the operations of ever, there is still lack of the scheme that aim to address
multiplication and exponentiation reached 20 and 27 in both of light burden and the distributed supervision
signature generation phase respectively, it still take a long centers. Moreover, although some of the existing tech-
preparation time before signing. nologies can complete identity tracing and content audit-
The common limitation of group and ring signature ing, their robustness is weak and cannot be universally
methods is it that the speed in preparation phase, gen- applied to various blockchains.
eration phase and verification phase is not that satisfying
using in the large scale consortium blockchain. Now the Biometrics information mergence
researchers aim to propose more efficient group and ring Alharthi et al. (2021) tried to balance the burden and pri-
signature by using small groups with the balance of secu- vacy so they proposed a biometrics blockchain (BBC) to
rity but there is little breakthrough. So, in the follow-up, track malicious accounts on-chain using biometric infor-
some works proposed schemes for specific ledger iden- mation to lable message senders for privacy and ensure
tity tracing, trying to address the speed issues. the credibility. It is applicable to the internet of vehicles
with consortium blockchain as they tested their scheme
Public key and certificate binding demonstrating that the packet loss rate is less than 5%
Ateniese et al. (2014) proposed a certificate-based bitcoin and the user computational cost is between 0.1 and
authentication system in the public blockchain, in which 0.3 ms.
the user registers with a trusted third party (TTP), and
Table 6 Consortium blockchain abnormal behavior risk awareness work comparison

Awareness purpose Technical methods Technical details Applicable scene Advantage Disadvantage Quantitative Data using
performance
Identity tracing Group signature and The identity of the Consortium block- Satisfy identity ano- Long preparation time Operations of Multipli- –
(2022) 5:5
ring signature signer is confidential chain acquiring nymity and linkability and slow speed before cation: 20 Operations
but verifiable, and anonymity while can signing of Exponentiation: 27
the administrator can tracing identity in the Low computational
open the identity of abnormal situation complexity
the signer (Zheng
et al. 2018; Fujisaki and
Suzuki 2007; Liu et al.
2004)
Public key and certifi- Register the public key Consortium block- Fast and accurate Abuse of supervisory Script efficiency is as –
cate binding with a trusted third chain with single identity tracing power good as Bitcoin
party to increase institution of the
the credibility of the supervision center
address (Ateniese et al.
2014)
Cooperative registra- Consortium block- Can prevent abuse of Low tracking efficiency – –
tion of public keys chain with multi-insti- supervisory power and slower speed
based on multi-party tutions of supervision
secure computing centers
(El Defrawy and Lamp-
kins 2014)
With the change of the Consortium block- Reduce the burden on Abuse of supervisory Efficiency is as good –
user’s public key, only chain with single users and the supervi- power as Groth–Sahai proof
a single registration to institution of the sion center system (Groth and
the supervision center supervision center Sahai 2008)
(Li et al. 2021)
Biometrics blockchain Using biometric Internet of vehicles Use biometric informa- Latency time of chain Packet Loss Rate: Less Self-made chain with
(BBC) information to track with consortium tion to label message updated than 5% Computa- simulation attacks by
malicious accounts blockchain senders for privacy tional Cost: 0.1–0.3 ms OMNeT++ (Pongor
on-chain by BBC and ensure message 1993)
architecture (Alharthi credibility
et al. 2021)
Page 17 of 27
performance
Attack on PBFT leaders Based on reputation Use reputation model Consortium block- Identify malicious The effects in non- Feasibility: Delay time Self-made chain pro-
schemes to evaluate leaders’ chain using PBFT leader leader nodes experimental environ- with in 22.0 s Reliabil- totype
scores and perceive consensus mechanism in time ments need to be ity: Linear
leader nodes (Lei et al. further tested
2018)
Forensic support Use cryptographic Consortium block- Forensic support can Large scale test need – –
(2022) 5:5
based primitives such as chain using BFT con- visualize to be further tested
aggregate signatures sensus mechanism
and commitments
to take BFT forensic
support (Sheng et al.
2021)
Auditing under privacy Zero-knowledge proof Additive homomor- Consortium block- High privacy and audit Limited auditing Computational Cost: Self-made chain pro-
protection and commitment phism commitment to chain with audit con- reliability operations Linear (Validate for totype
hide sensitive data and tent kept confidential 20 nodes in less than
complete the audit 200 ms) Auditing Time
with zero-knowledge with More Nodes:
proof guaranteeing Linear
audit reliability (Narula
et al. 2018)
Collusion attack Based on reputation Use Bayesian inference Internet of vehicles High feasibility in Latency time of chain Feasibility: Less than Users in vehicular and
schemes model to evaluate with consortium consortium ranges updated 1 s Reliability: Expo- blockchain simulation
reputation scores and blockchain nent platform
perceive collusion
attacks (Yang et al.
2018)
Use the reputation E-commerce environ- Sharding improves The effects in non- Feasibility: 20.4 s delay Self-made chain pro-
chain to improve the ment with consortium chain’s throughput experimental environ- time at least Reliability: totype with simulated
performance of the blockchain ments need to be Linear users
transaction chain and further tested
perceive collusion
attacks (Huang et al.
2020)
Use smart contracts E-commerce environ- High feasibility and The robust effect on Feasibility: Less than Partial Ethereum users
to evaluate reputa- ment with consortium reliability other attacks remains 0.8 s Reliability: participant in
tion scores and resist blockchain to be verified Constant
collusion attacks (Zhou
et al. 2021)
Page 18 of 27
(2022) 5:5
performance
“Govern blockchains Double-chain archi- The double-chain Consortium block- High accuracy and Large scale testing is Accuracy: 92.5% Recall: Drebin Dataset (Arp
by blockchains” tecture consists of a detection chain with multi-insti- small scale high detec- inefficient 94.6% F1: 93.5% et al. 2014)
chain and a data public tutions of supervision tion speed
chain. The detec- centers
tion chain deploys
multi-feature models
to detect malicious
behaviors on the data
public chain (Gu et al.
2018)
The double-chain con- Consortium block- Fast transaction speed, Practicability needs to Accuracy: 90.1% Recall: Elliptic Dataset
sists of the transaction chain with multi-insti- high scalability, and be verified 18.5% F1: 30.8%
chain and the custody tutions of supervision strong credibility
chain. The custody centers
chain uses a neural
network to identify
illegal transactions,
and the double-chain
anchors the public
blockchain (Wu et al.
2020a)
Page 19 of 27
Biometrics technology seems satisfying but the biomet- Auditing under privacy protection
rics information collection and the latency time of update In terms of awareness methods for audit under privacy
are still unsatisfactory. protection purposes, we can still use the method of group
The methods for identity tracing are mainly based on and ring signature and in this sub-section, we focus on
the cryptographic primitives. Secure and reliable tracing the application perspective.
in one side, unsatisfying speed in the other side. In our Narula et al. (2018) proposed a technology zkledger in
point of view, researchers may construct identity knowl- 2018, that integrates privacy and auditing. It uses Peder-
edge base and using artificial intelligence methods to son promises to hide sensitive data, and uses the additive
trace the malicious identity. homomorphism promised by Pederson to perform audit
operations on the hidden data. It perceives the correct-
Attack on PBFT leaders ness of functions on the blockchain through a simple
Consensus mechanism in consortium chain mainly uses ciphertext summation method, and at the same time
Practical Byzantine Fault Tolerance(PBFT)-based proto- using zero-knowledge proof to ensure the reliability of
col, which is different from PoW or PoS consensus pro- the audit. In terms of audit integrity, they construct a
tocol used in the public chain. PBFT usually selects the unique accounting method and propose a virtual token
leader nodes that complete consensus in the current called the audit token to make the transaction public and
epoch with assumption that more than 2/3 nodes are verifiable while ensuring the privacy of participants. In
honest. For this reason, the leader node of each epoch terms of system efficiency, zkledger adds commitment
becomes a vulnerable object and therefore needs to be caches to each entity to improve the efficiency of trans-
aware of abnormal behavior aiming at the leaders. The action creation and auditing and uses the map/reduce
related abnormal behavior awareness work is not that parallel computing method to improve the efficiency of
sufficient so this chapter only lists the representative auditing in the case of multiple entities. The computa-
research works. tional cost and auditing time grows linearly as the num-
Lei et al. (2018) proposed a reputation model to evalu- ber of nodes increases.(Validate for 20 nodes in less than
ate leaders’ scores. The lower score nodes given, the 200 ms) At the same time, in order to reduce commu-
lower probability can the nodes be selected as leaders. nication costs, they use the Fiat Shamir non-interactive
All the participants in this consortium chain can con- zero-knowledge proof instead of Schnorr’s interactive
tribute to the reputation model so the scores can reflect zero-knowledge proof. This is a blockchain supervision
the abnormal behavior on the leaders. As the scores are architecture, which can be considered in integrating the
updated in real time, it can identify and dispose mali- authentication and authorization of members on the
cious leader nodes in time with high reliability (Linear). chain, and then upgrade zkledger to a consortium block-
But their scheme were only tested in the experimental chain platform with a wider range of available scenarios.
environment. Sheng et al. (2021) used cryptographic The common limitation of auditing under privacy
primitives such as aggregate signatures and commit- protection is it that the types of auditing operations are
ments to take BFT forensic support. They mathemati- limited (only sum operations in Narula) as the cost of
cally formalize the study of forensic support of BFT multiplication operations with privacy on-chain is costly
protocols, aiming to identify as many of the malicious and the auditing relies on the auditors, which cannot
replicas as possible and in as distributed manner as automated. So in the future, research can focus on the
possible. various types of auditing operations with low cost and
The attack on PBFT leaders may suffer a heavy lost. the automated auditing.
However, the related works focus much on proposing
a new consensus mechanism to avoid the risk of PBFT, Collusion attack
while the deployment of leader node abnormal behav- Collusion attack is a type of security attack or threat in
ior awareness mechanism embedding in PBFT-based which a node intentionally makes a secret agreement
consortium chain is not sufficient. Such work is very with an adversary. If fewer nodes participate in the con-
important, because existing consortium blockchain pro- sortium chain, the success rate of collusion attacks will be
jects have already used PBFT consensus protocol, which higher. Though using double-chain architecture can per-
has many users. Due to the immutability of blockchain, ceive collusion attack to some extent, the main technical
updating the underlying consensus algorithm is costly, so methods are based on reputation schemes.
the future research can give attention on the automati- Yang et al. (2018) used Bayesian inference model to
cally abnormal behavior awareness of leader node and evaluate reputation scores which can detect the compro-
timely disposal. mised nodes and perceive the collusion attacks in time.
Timeliness of the scheme make it suitable for the internet Gu et al. (2018) proposed a double-chain architecture
of vehicles with consortium blockchain. It only takes less in 2018, which consists of a detection chain, deploy-
than 1 s to evaluate the reputation scores with high fea- ing multi-feature models to detect malicious behaviors
sibility but the reliability is exponent, i.e., unfair ratings on the data public chain, and a data public chain, which
increase exponentially as the number of malicious nodes stores data with transparency and integrity. This scheme
increase. It means that when there are too many mali- achieve high detection accuracy (F1 score is 93.5%) and
cious nodes, the system may cannot detect the collusion high speed in small scale with multi-institutions of super-
attack precisely. vision centers.
Huang et al. (2020) took a next step. They proposed a Wu et al. (2020a) proposed a double-chain architecture
scheme using the reputation chain to improve the perfor- in 2020, which consists of a transaction chain and a cus-
mance of the transaction chain which increases the reli- tody chain. As the core part of the system, the consor-
ability, i.e., unfair ratings increase linearly as the number tium blockchain is responsible for processing transaction
of malicious nodes increase. As they use another repu- collection, verification and packaging. As a participant in
tation chain, more than 20.4 s delay time is needed for the consensus process, the regulator directly participates
the chain updated, though they use sharding to improve in the operation of the consortium blockchain. Users’
chain’s throughput. complete transaction data encrypted is stored in the
To balance the feasibility and the reliability, Zhou blocks of the consortium blockchain for traceability and
et al. (2021) used smart contracts to evaluate reputation privacy preservation. There are only a few participants in
scores for the collusion attack awareness and control. The the consortium blockchain. In order to improve the cred-
scheme only uses less than 0.8 s to evaluate the reputa- ibility of the system, an anchor with the public chain can
tion scores with the reliability is constant, i.e., the repu- be considered. Store user status changing information
tation scores tend to be a constant as the rating number and the block hash of the consortium blockchain in the
increases. public blockchain, which can prevent the members of the
The common limitation of collusion attack awareness consortium blockchain from launching collusion attacks.
based on reputation schemes is it that the participants in Unfortunately, though their scheme achieve a satisfying
the consortium chain need to be sufficient or the reputa- accuracy, the recall rate is not practicable.
tion score may not reflect the collusion attacks precisely. The technology of “govern blockchains by blockchains”
To address this limitation, history data can be added in needs further development, and its development includes
the initialize phase. data collaboration on and off the chain. However, it
The methods for collusion attack awareness mainly is difficult to achieve such a huge amount of data in a
aims on the participants in the consortium chain who blockchain through traditional manual supervision and
have the write-permission. Reputation schemes detect awareness methods. It requires code to implement rules
collusion attack with the assumption that most par- and software for internal supervision. It is also a “game”
ticipants are honest. In our opinion, study can focus on process, which is a complex technological realization
merging the reputation schemes and history data into process (Hong et al. 2020).
one architecture and balance the cost, feasibility and The common limitation of double-chain architecture
reliability to aware collusion attacks and other unknown is it that the supervision chain only perceive one type of
attacks in the future. abnormal behavior and lacking of one supervision chain
integrates more types of abnormal behaviors. Maybe
“Govern blockchains by blockchains” we can use supervision chain with multi-classification
The academician of the Chinese Academy of Engineer- abnormal behaviors detection model deployed. There is
ing Chun Chen proposed the supervision technology still a long way to go to develop “govern blockchains by
model of “govern blockchains by blockchains”, i.e., using blockchains” into systemizing.
blockchain technology to govern the blockchain and its
applications (Chen 2020). This model is also applicable Blockchain security data sets summary
to the abnormal awareness of consortium blockchains. and analysis
By establishing a supervision blockchain and connecting In order to facilitate blockchain security researchers to
to the supernodes of the company blockchain projects, explore and make experiments on the blockchain secu-
it can detect the malicious behavior of each blockchain rity issues, we summarize 13 data sets (a total of 29 sub-
project through the supervision blockchain in time, and table information) on the mainstream blockchain.
finally deposit evidence on the supervision blockchain The current abnormal behavior awareness method of
permanently. the consortium blockchain is booming. Various research
objects are used while works on consortium chain mainly
Table 7 Blockchain security data sets summary and analysis
Dataset type Labeled or not Dataset name Dateset Data size Table name Table description Columns Columns Applicable scene Source
description number description
Transaction Yes Elliptic datasets Transaction graph 200,000 bitcoin Elliptic_ txs_classes Licit transactions 2 Transaction id and Money laundring Ellipic
(Elliptic 2019; Weber classifying the illicit transactions or not its class detection; Ponzi
et al. 2019) and licit nodes Elliptic_txs Nodes and edges 2 Source and destina- schemes detection
collected from the
(2022) 5:5
_edgelist tion transaction ids

Bitcoin blockchain
Elliptic_ txs_fea- Transactions 167 Transaction features
tures features
Transaction Phishing account 1262 phishing Address The node list for 7 Part of block head Phishing account Xblock
network of phishing information from accounts phishing detection information, trans- detection
nodes (Wu et al. Etherscan actions flow and
2020c; Yuan et al. contract address
2020) Ethereum-network Transaction sub- 4 Transactions flow
graph with time
The label of phish- The different attack 2881 phishing Phishing_label The different attack 4 Account classes
ing account on tags of phishing addresses tags of phishing and its balance
ethereum (Chen account account with transaction
et al. 2020) counts
Ethereum phishing A huge Ethereum 2,973,489 nodes, MulDiGraph The network 6 Transaction par-
transaction network transaction network 13,551,303 edges attributes ties are phishing
(Chen et al. 2020) extending from and 1165 labeled account or not and
phishing nodes nodes the transaction flow
reported in Ether-
scan
Bitcoin partial Snapshots 22,500,000 Bitcoin Blockhash Information of 4 Block head informa- Money laundering
transaction datasets containing partial transactions block tion detection; Mixing
(Wu et al. 2020b) transaction records txhash Transaction ID and 2 Transactions id with service detection
of Bitcoin transac- hash pairs its hash
tion data from 2014
to 2016 Addresses Bitcoin address ID 2 Address with its ID
and address pairs
tx Information of 5 Transaction flow
transaction with time and its
block id
txin List of all transac- 3 Input flow
tion inputs
txout List of all transac- 3 Output flow
tion outputs
Label Addresses of mix- 1 Addresses of mix-
ing services ing services
Page 22 of 27
No Ethereum on-chain Ethereum on-chain 10,999,999 blocks Block Ethereum block 14 Complete block Extracting
data (Zheng et al. data getting from information information head information and exploring
2020) the Ehtereum full Ethereum
(2022) 5:5
Normal transaction Normal transac- 10 Transaction flow

node tions information with block head
and gas informa-
tion
Internal EtherTrans- Smart contract 8 Contracts execu-
action execution transaction flow with its
tions information re-lated transac-
tions and block
information
ContractInfo Contract informa- 11 Contracts informa-
tion tion in its whole
lifetime
ContractCall Contract calling 11 Contracts calling
flow with calling
function, type and
status
ERC20 transaction ERC20 token trans- 7 Transaction flow in
action information ERC20
ERC721 transaction ERC721 token 7 Transaction flow in
transaction infor- ERC721
mation
Contract Yes Smart Ponzi Labels of smart 3794 contracts Ponzi_label The labels of 2 Contract type Ponzi schemes Xblock
scheme labels Ponzi contracts by labels whether a contract detection
(Chen et al. 2018) manually check is a smart Ponzi
scheme
DEFIER extended Labels of attack 92,644 Labels of Stage_labels The labels of which 4 DApp’s attack DApp events Institute of Informa-
DApp event Dataset stages on contracts attack stages on attack stages stages with its detection tion Engineering,
(Su et al. 2021) calling flow of contracts calling (using the kill chain transaction lists CAS
DApps flow model) the contract
calling flow at
No Smart contract All open source 14,000 contracts Open source All open source 9 Contract basic Ponzi schemes Xblock
attribute dataset contracts in opening source in contract info contracts in information with detection
(Huang et al. 2019) Ethereum Ethereum Ethereum contract code and
transactions in it
Page 23 of 27
(2022) 5:5
Market No Ether price and Price and Volume 7892 market data 4 h_data_eth Market data 8 High and low price Ether market cau- Xblock
volume dataset from 2015 to 2019 about Ether about Ether as the and volume of sality analysis
(Han et al. 2020) of Ether exchange rate is Ether
ETH/USDT
Bitcoin price and Price and Volume 7892 market data 4 h_data_btc Market data about 8 High and low price Bitcoin market
volume dataset from 2015 to 2019 about Bitcoin Bitcoin as the and volume of causality analysis
(Han et al. 2020) of Ether exchange rate is Bitcoin
BTC/USDT
Mt.Gox leaked Transaction data Mt.Gox leaked Complete_edge_ Transactions of 8 Transaction flow Bitcoin market user
transaction (Chen leaked by Mt.Gox transactions from v2 bitcoin market with users’ type behavior analysis
et al. 2019) exchange 2012 to 2013
Activity information Information about 1,400,000 DApp’s Radar Activity information 15 DApp’s basic DApp activity
of DApps (Zheng DApps’activity activity information of DApps on Dap- information, analysis
et al. 2017) pRadar transactions and
contracts in it and
users information
State_of_the_dapp Activity information 28 DApp’s state
of DApps on State information,
of the Dapps transactions and
contracts in it and
users information
Page 24 of 27
use data such as self-built prototypes. There is no stand- • Blockchain cross-space identity association technol-
ard public data set on consortium chain, so this chapter ogy: For the healthy and long-term development of
mainly introduces the data set on the public chain. the blockchain, the contradiction between its ano-
According to the type of data sets, it is divided into nymity and the requirement for real-name supervi-
transaction data sets, contract data sets and market sion needs to be resolved. It is difficult to aggregate
data sets. Each type of data sets is divided into labeled a large number of anonymous accounts on the block-
and unlabeled. The specific data sets’ names, descrip- chain, and it is necessary to consider the association
tions, scales, attributes, sources and etc. are shown in of the on-chain identities, especially with the help
the following Table 7. At the same time, we also propose of the access mechanism of the consortium block-
possible application scenarios for each data set for the chain. We can study the correspondence between the
reference of security researchers. identity of the physical space and the identity on the
blockchain, in order to open up the “physical-virtual”
Conclusion space.
We discuss the behavior awareness work of public block- • Blockchain dynamic monitoring and analysis technol-
chains and consortium blockchains. Researchers have ogies: The existing research on the supervision and
already done related work in this field, but blockchain governance technology of the blockchain still needs
behavior awareness field is still in its infancy. Therefore, to be further promoted. Therefore, future works can
this research direction still needs more work. Combining face the security risks existing in the blockchain ecol-
the above-mentioned limitation of awareness methods, ogy, study the regulatory technical framework and
we give some possible directions for future research on refine in-depth analysis, dynamic monitoring and
blockchain behavior awareness. identification technology, and achieve the accurate
awareness of abnormal behaviors on the blockchain
• Blockchain interactive behavior modeling and process- ecology and timely disposal of malicious behaviors.
ing: The existing abnormal behavior awareness work
on the blockchain usually starts with a single node of
Acknowledgements
information, and may ignore the interaction behavior Not applicable.
information between nodes or even between chains.
However, the blockchain is a social network. Trans- Authors’ contributions
All authors have contributed to this manuscript and approve of this submis-
action behavior is essentially an interaction behavior. sion. CY participated in all the work and drafting the article. ZW and CZ did
New interaction behaviors may be the pre-stage of a some basic collection work. Prof. YL, ZL and BL made a decisive contribution
certain attack. Therefore, it is important to perceive to the content of research and revising the article critically. All authors read
and approved the final manuscript.
potential threats brought by interaction behavior in
time. In the future, works can further explore how Funding
to model the interaction behavior between various This research is supported by National Key Research and Development Pro-
gram of China (Nos. 2021YFF0307203 and 2019QY1300), Youth Innovation Pro-
data on the chain, analyze the dynamic features of the motion Association CAS (No. 2021156), the Strategic Priority Research Program
interaction behavior, and design a recognition tech- of Chinese Academy of Sciences (No. XDC02040100) and National Natural Sci-
nology that can self-adapt to behavior changes on the ence Foundation of China (No. 61802404). This work is also supported by the
Program of Key Laboratory of Network Assessment Technology, the Chinese
chain. Academy of Sciences, Program of Beijing Key Laboratory of Network Security
• Blockchain abnormal behavior fine-grained aware- and Protection Technology.
ness: The awareness methods of abnormal behavior
Availability of data and materials
on the existing blockchain is usually aiming at a sin- Not applicable.
gle abnormal behavior, and the awareness of multiple
behaviors results are unsatisfactory. Therefore, future Declarations
work can further analyze various abnormal behav-
iors on the chain, deepen their understanding and Competing interests
The authors declare that they have no competing interests.
characterization, integrate the features of different
behaviors, and combine machine learning and deep Author details
1
learning methods to design fine-grained awareness Institute of Information Engineering, Chinese Academy of Sciences, Bei-
jing 100093, China. 2 School of Cyber Security, University of Chinese Academy
methods and models of various abnormal behaviors of Sciences, Beijing 100049, China.
on the chain.
Received: 7 September 2021 Accepted: 21 December 2021 Gervais A, Karame GO, Wüst K, Glykantzis V, Ritzdorf H, Capkun S (2016) On the
security and performance of proof of work blockchains. In: Proceedings
of the 2016 ACM SIGSAC conference on computer and communications
security. pp 3–16
Gong J, Zang X, Su Q, Hu X, Xu J (2017) Survey of network security situation
awareness. J Softw 28(4):1010–1026
References Groth J, Sahai A (2008) Efficient non-interactive proof systems for bilinear
Alangot B, Reijsbergen D, Venugopalan S, Szalachowski P (2020) Decentralized groups. In: Springer (ed.) Annual international conference on the theory
lightweight detection of eclipse attacks on bitcoin clients. In: 2020 IEEE and applications of cryptographic techniques, pp 415–432
international conference on blockchain (blockchain). IEEE, pp 337–342 Gu J, Sun B, Du X, Wang J, Zhuang Y, Wang Z (2018) Consortium blockchain-
Alharthi A, Ni Q, Jiang R (2021) A privacy-preservation framework based on based malware detection in mobile devices. IEEE Access 6:12118–12128
biometrics blockchain (BBC) to prevent attacks in VANET. IEEE Access Guegan, D.: Public blockchain versus private blockhain (2017)
9:87299–87309 Guo, Z., Guo, S., Zhang, S., Song, L., Wang, H.: Analysis of cross-chain technol-
Ao X, Liu Y, Qin Z, Sun Y, He Q (2021) Temporal high-order proximity aware ogy of blockchain. Chin J Internet Things 35–48 (2020)
behavior analysis on Ethereum. World Wide Web, pp 1–21 Han J, Zou J, Jiang H, Xu Q (2018) Research on mining attacks in bitcoin. J
Arp D, Spreitzenbarth M, Hubner M, Gascon H, Rieck K, Siemens C (2014) Cryptol Res 5(5):470–483
Drebin: Effective and explainable detection of android malware in your Han Q, Wu J, Zheng Z (2020) Long-range dependence, multi-fractality and
pocket. Ndss 14:23–26 volume-return causality of ether market. Chaos Interdiscip J Nonlinear Sci
Ateniese G, Faonio A, Magri B, De Medeiros B (2014) Certified bitcoins. In: 30(1):011101
International conference on applied cryptography and network security. Heilman E, Kendler A, Zohar A, Goldberg S (2015) Eclipse attacks on bitcoin’s
Springer, pp 80–96 peer-to-peer network. In: 24th {USENIX} security symposium ( {USENIX}
Attorney O (2019) Manhattan U.S. Attorney announces charges against leaders security 15), pp 129–144
of “OneCoin,” a multibillion-dollar pyramid scheme involving the sale of Hong X, Wang Y, Liao F (2020) Review on the technology research of block-
a fraudulent cryptocurrency (2019). https://www.justice.gov/usao-sdny/ chain security supervision. Bulletin of National Natural Science Founda-
pr/manhattan-us-attorney-announces-charges-against-leaders-onecoin- tion of China 34(01):18–24
multibillion-dollar Accessed 8 March Hope-Bailie A, Thomas S (2016) Interledger: Creating a standard for payments.
Bartoletti M, Carta S, Cimoli T, Saia R (2020) Dissecting Ponzi schemes on In: Proceedings of the 25th international conference companion on
Ethereum: identification, analysis, and impact. Future Gener Comput Syst world wide web. pp 281–282
102:259–277 Hu Y, Seneviratne S, Thilakarathna K, Fukuda K, Seneviratne A (2019) Character-
Baumgart I, Heep B, Krause S (2007) Oversim: a flexible overlay network izing and detecting money laundering activities on the bitcoin network.
simulation framework. In: 2007 IEEE global internet symposium. IEEE, pp arXiv:1912.12060
79–84 Huang B, Liu Z, Chen J, Liu A, Liu Q, He Q (2017) Behavior pattern clustering in
Chen C (2020) The key technologies of consortium blockchain and the super- blockchain networks. Multimed Tools Appl 76(19):20099–20110
vision challenges of blockchain. China Ind Inf Technol 2020(11):54–58 Huang C, Wang Z, Chen H, Hu Q, Zhang Q, Wang W, Guan X (2020) Repchain:
Chen L, Peng J, Liu Y, Li J, Xie F, Zheng Z (2020) Phishing scams detection in a reputation-based secure, fast, and high incentive blockchain system via
Ethereum transaction network. ACM Trans Internet Technol 21(1):1–6 sharding. IEEE Internet Things J 8(6):4291–4304
Chen W, Zheng Z, Cui J, Ngai E, Zheng P, Zhou Y (2018) Detecting Ponzi Huang Y, Kong Q, Jia N, Chen X, Zheng Z (2019) Recommending differenti-
schemes on Ethereum: towards healthier blockchain technology. In: ated code to support smart contract update. In: Proceedings of the 27th
Proceedings of the 2018 world wide web conference. pp 1409–1418 international conference on program comprehension, pp 260–270
Chen W, Wu J, Zheng Z, Chen C, Zhou Y (2019) Market manipulation of bitcoin: Ismail H, Germanus D, Suri N (2015) Detecting and mitigating p2p eclipse
Evidence from mining the Mt. Gox transaction network. In: IEEE confer- attacks. In: 2015 IEEE 21st international conference on parallel and distrib-
ence on computer communications. pp 964–972 uted systems (ICPADS). IEEE, pp 224–231
Chen W, Guo X, Chen Z, Zheng Z, Lu Y (2020) Phishing scam detection on Krupp J, Rossow C. (2018) teether: Gnawing at Ethereum to automatically
Ethereum: towards financial security for blockchain ecosystem. In: exploit smart contracts. In: 27th {USENIX} security symposium ( {USENIX}
International joint conferences on artificial intelligence organization. pp security 18), pp 1317–1333
4506–4512 Kwon J, Buchman E. (2018) A network of distributed ledgers. Cosmos Dated
Chicarino V, Albuquerque C, Jesus E, Rocha A (2020) On the detection of self- 1–41
ish mining and stalker attacks in blockchain networks. Ann Telecommun Lei K, Zhang Q, Xu L, Qi Z (2018) Reputation-based byzantine fault-tolerance
75:143–152 for consortium blockchain. In: IEEE (ed.) 2018 IEEE 24th international
CNCERT/CC (2020) 2020 Blockchain security situation perception report. conference on parallel and distributed systems (ICPADS), pp 604–611
https://bc.cnvd.org.cn/notice_info?num=0c4088bbb6f7346000c3ac1ce Li D (2020) Discussion on block chain ecological construction based on china’s
13f0347 Accessed 5 Mar 2021 independent and controllable basic public block chain. Inf Sec Technol
Community B (2020) Beam: the scalable confidential cryptocurrency. 2 Feb 9(9):6–9
2020. https://docs.beam.mw/BEAM_Position_Paper_0.3.pdf Li P, Xu H (2020) Blockchain user anonymity and traceability technology. J
de BT, Hernandez-Castro J (2017) An analysis of bitcoin laundry services. In: Electron Inf Technol 42(5):1061–1067
Springer (ed.) Nordic conference on secure IT systems. pp 297–312 Li P, Xu H, Ma T (2021) An efficient identity tracing scheme for blockchain-
Douceur JR (2002) The sybil attack. In: International workshop on peer-to-peer based systems. Inf Sci 561:130–140
systems. Springer, pp 251–260 Li P, Xu H, Ma T (2021) Research progress of blockchain privacy protection and
El Defrawy K, Lampkins J (2014) Founding digital currency on secure computa- supervision technology. J Cyber Sec 6(3):159–168
tion. In: Proceedings of the 2014 ACM SIGSAC conference on computer Liu JK, Wei VK, Wong DS (2004) Linkable spontaneous anonymous group
and communications security, pp 1–14 signature for ad hoc groups. In: Australasian conference on information
Elliptic: Elliptic data set (2019) https://www.elliptic.co security and privacy. Springer, pp 325–335
Eyal I, Sirer EG (2014) Majority is not enough: bitcoin mining is vulnerable. In: Lorenz J, Silva MI, Aparício D, Ascensão JT, Bizarro P (2020) Machine learning
International conference on financial cryptography and data security. methods to detect money laundering in the bitcoin blockchain in the
Springer, pp 436–454 presence of label scarcity. arXiv:2005.14635
Frankenfield J (2019a) 51% Attack. 6 May 2019. https://www.investopedia. Lu Q, Xu X (2017) Adaptable blockchain-based systems: a case study for prod-
com/terms/1/51-attack.asp uct traceability. IEEE Softw 34(6):21–27
Frankenfield J. (2019b) Selfish mining. 1 Apr 2021. https://www.investopedia. Marcus Y, Heilman E, Goldberg S (2018) Low-resource eclipse attacks on
com/terms/s/selfish-mining.asp Ethereum’s peer-to-peer network. IACR Cryptol ePrint Arch 2018:236
Fujisaki E, Suzuki K (2007) Traceable ring signature. In: International workshop Mehar MI, Shier CL, Giambattista A, Gong E, Fletcher G, Sanayhie R, Kim HM,
on public key cryptography. Springer, pp 181–200 Laskowski M (2019) Understanding a revolutionary and flawed grand
experiment in blockchain: the Dao attack. J Cases Inf Technol (JCIT) Wu G, Yu P, Wang K (2020) Transaction regulatory research on double-chain
21(1):19–32 blockchain. Comput Eng Appl 56:116–123
Monamo P, Marivate V, Twala B (2016) Unsupervised learning for robust bitcoin Wu J, Liu J, Chen W, Huang H, Zheng Z, Zhang Y (2020) Detecting mixing
fraud detection. In: 2016 information security for South Africa (ISSA). IEEE, services via mining bitcoin transaction network with hybrid motifs. arXiv:
pp 129–134 2001.05233
Nakamoto S (2008) Bitcoin: a peer-to-peer electronic cash system. Decentral- Wu J, Yuan Q, Lin D, You W, Chen W, Chen C, Zheng Z (2020) Who are the
ized Bus Rev 21260 phishers? Phishing scam detection on Ethereum via network embedding.
Narula N, Vasquez W, Virza M (2018) zkledger: privacy-preserving auditing for IEEE Tran Syst Man Cybern Syst
distributed ledgers. In: 15th {USENIX} symposium on networked systems Xi R, Yun X, Jin S, Zhang Y (2012) Research survey of network security situation
design and implementation ( {NSDI} 18), pp 65–80 awareness. J Comput Appl 32(01):1–4
Orcutt M (2020) Criminals laundered \$2.8 billion in 2019 using crypto Xu G, Guo B, Su C, Zheng X, Liang K, Wong DS, Wang H (2020) Am i eclipsed? a
exchanges, finds a new analysis (2020). https://www.technologyreview. smart detector of eclipse attacks for Ethereum. Comput Secur 88:101604
com/2020/01/16/130843/cryptocurrency-money-laundering-exchanges/ Yang X (2020) Research of blockchain ecology security challenges and solu-
Accessed 16 January tions. Inf Secur Technol 11(3):50–55
Ostapowicz M, Żbikowski K (2020) Detecting fraudulent accounts on Yang Z, Yang K, Lei L, Zheng K, Leung VC (2018) Blockchain-based decentral-
blockchain: a supervised approach. In: International conference on web ized trust management in vehicular networks. IEEE Internet Things J
information systems engineering. Springer, pp 18–31 6(2):1495–1505
Pham T, Lee S (2016) Anomaly detection in bitcoin network using unsuper- Yuan Z, Yuan Q, Wu J (2020)Phishing detection on Ethereum via learning
vised learning methods. arXiv:1611.03941 representation of transaction subgraphs. In: Blockchain and trustworthy
Pongor G (1993) Omnet: objective modular network testbed. In: Proceedings systems, pp 178–191
of the international workshop on modeling, analysis, and simulation on Zhang R, Preneel B (2017) Publish or perish: a backward-compatible defense
computer and telecommunication systems, MASCOTS’93, San Diego, CA, against selfish mining in bitcoin. In: Cryptographers’ track at the RSA
USA. Society for Computer Simulation International, pp 323–326 conference. Springer, pp 277–292
Radix (2018) What is an eclipse attack? 7 June 2018. https://www.radixdlt.com/ Zhang Y, Lou Y (2021) Deep neural network based Ponzi scheme contract
post/what-is-an-eclipse-attack detection method. Comput Sci 48(1):273–279
Rubixi (2016) Rubixi smart contract. https://bitcoindtalk.org/index.php?topic= Zhao G, Xie Z, Wang X, He J, Zhang C, Lin C, Zhou Z, Chen B, Rong C (2020)
1400536.0 Accessed 14 Mar 2016 Contractguard: defend Ethereum smart contract with embedded intru-
Saad M, Njilla L, Kamhoua C, Mohaisen A (2019) Countering selfish mining in sion detection. Chin J Netw Inf Secur 6(2):35–55
blockchains. In: 2019 international conference on computing, network- Zheng H, Wu Q, Qin B, Zhong L, He S, Liu J (2018) Linkable group signature
ing and communications (ICNC). IEEE, pp 360–364 for auditing anonymous communication. In: Australasian conference on
Sayadi S, Rejeb SB, Choukair Z (2019) Anomaly detection model over information security and privacy. Springer, pp 304–321
blockchain electronic transactions. In: 2019 15th international wireless Zheng P, Zheng Z, Wu J, Dai H-n (2020) Xblock-eth: Extracting and exploring
communications and mobile computing conference (IWCMC). IEEE, pp blockchain data from Ethereum. IEEE Open J Comput Soc 1:95–106
895–900 Zheng Z, Xie S, Dai H, Wang H (2017) An overview of blockchain technology:
Shen J, Zhou J, Xie Y, Yu S, Xuan Q (2021) Identity inference on blockchain architecture, consensus, and future trends. In: 2017 IEEE international
using graph neural. Network 2104:06559 congress on big data (BigData Congress). pp 557–564
Shen M, Sang A, Zhu L, Sun R, Zhang C (2021) Abnormal transaction behavior Zhou Z, Wang M, Yang C-N, Fu Z, Xin S, Wu QJ (2021) Blockchain-based decen-
recognition based on motivation analysis in blockchain digital currency. tralized reputation system in e-commerce environment. Future Gener
Chin J Comput 1:193–208 Comput Syst 124:155–167
Sheng P, Wang G, Nayak K, Kannan S, Viswanath P (2021) BFT protocol foren-
sics. In: Proceedings of the 2021 ACM SIGSAC conference on computer
and communications security. pp 1722–1743 Publisher’s Note
Shultz BL, Bayer D (2015) Certification of witness: mitigating blockchain fork Springer Nature remains neutral with regard to jurisdictional claims in pub-
attacks. Undergraduate Thesis in Mathematics, Columbia University in the lished maps and institutional affiliations.
City of New York (2015)
Skuchain Forum, W.E.: Inclusive Deployment of Blockchain for Supply Chains
(2019). https://www.weforum.org/whitepapers/inclusive-deployment-
of-blockchain-for-supply-chains-part-protecting-your-data Accessed 5
June 2019
Su L, Shen X, Du X, Liao X, Wang X, Xing L, Liu B (2021) Evil under the sun:
understanding and discovering attacks on Ethereum decentralized appli-
cations. In: 30th {USENIX} security symposium ( {USENIX} security 21)
Torres CF, Steichen M et al (2019) The art of the scam: demystifying honeypots
in Ethereum smart contracts. In: 28th {USENIX} security symposium ( {
USENIX} Security 19), pp 1591–1607
Vasek M, Moore T (2015) There’s no free lunch, even using bitcoin: Tracking the
popularity and profits of virtual currency scams. In: Springer (ed.) Interna-
tional conference on financial cryptography and data security, pp 44–61
Voell Z (2020) Ethereum classic hit by third 51% attack in a month. https://
www.coindesk.com/ethereum-classic-blockchain-subject-to-yet-anoth
er-51-attack Accessed 30 Aug 2020
Weber M, Domeniconi G, Chen J, Weidele DKI, Bellei C, Robinson T, Leiserson
CE (2019) Anti-money laundering in bitcoin: Experimenting with graph
convolutional networks for financial forensics. arXiv:1908.02591
Wei A (2018) Public blockchain technology and its application value. Internet
Econ 7:26–31
Wikipedia (2021a) Money laundering. 8 July 2021. https://en.wikipedia.org/w/
index.php?title=Money_laundering&oldid=1032228344
Wikipedia (2021b) Ponzi scheme. https://en.wikipedia.org/w/index.php?title=
Ponzi_scheme&oldid=1030419781. Accessed 8 July 2021

Blockchain Abnormal Behavior Awareness Methods: A Survey

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Blockchain Abnormal Behavior Awareness Methods: A Survey

Uploaded by

Copyright:

Available Formats

Yan

et al. Cybersecurity (2022) 5:5

SURVEY Open Access